Real Time Ascend Maling List Archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: (ASCEND) LAN security errors (c=101, p=67) (was: Max 6000 - LAN security errors during heavy load)



On Fri, 09 Apr 1999 17:22:46 -0700, John Wells wrote:
>At 05:09 PM 4/9/99 -0500, John Coy wrote:
>>I have several MAX 6000 terminal servers on my network.
>>I've been experiencing some intermittant problems lately
>>which appear to crop up when the terminal server is heavily
>>loaded.  I am running the 7.0.4 firmware.
>>
>>What appears to happen is when the Max has more than 72 connections,
>>it will give a LAN security error when a user is logging in.
>>There is no reason for this (ie: the RADIUS server is running fine,
>>the user is not already logged in, the user supplied the correct
>>username and password).
>>
>>Rebooting the MAX makes the problem go away.
>>
>>The problem is intermittant.
>>
>>Has anyone else experienced these same problems?  Info/Feedback
>>would be greatly appreciated.
>
>We have a related problem with a MAX 2024, running 7.0.3 (but the 
>problem has likely been there with various 6.x.x releases too)
>
>Some users, some times, get immediately disconnected after 
>authenticating. Syslog shows these calls connecting, and following 
>modem negotiation the RADIUS server log shows that authentication 
>was successful. However, the MAX then immediately disconnects the 
>user. Syslog then gets warning saying "LAN security error" for the 
>username. A few seconds later syslog and RADIUS accounting record 
>the end of the call, with the username and a disconnect code of 101 
>(invalid user) and progress code of 67. (The RADIUS accounting log 
>has only a STOP record and doesn't show the username.)
>
>Our MAX isn't heavily loaded, and I haven't been able to correlate 
>this problem to anything else. Between 5% and 10% of our calls 
>end with this c=101, p=67 combination.
>
>I wish I had an answer, but I don't. We've got a ticket with Ascend 
>on this, and as requested sent them a wanNext trace of one such 
>call, but haven't (yet?) heard back anything helpful.

Last week someone from Ascend spent some time looking at our MAX while I
kept trying to dial in (and repeatedly got c=101, p=67 failures). Turned
out that many of these errors were due to an attempt to use an IP which was
already in use. (And my guess is that the remaining problem calls were due
to client problems triggered by an attempt to use an already-allocated IP).
Ascend suggested checking:
	Ethernet/Mod Config/WAN Options.../Pool only=Yes
This was "No", so yesterday I set it to "Yes" -- so far no "c=101" calls.

Anyone know why the default for this should be "Pool only=No"?

>John Wells
>School District 79 - Cowichan Valley
>Duncan, BC, Canada
>jwells@sd79.bc.ca

++ Ascend Users Mailing List ++
To unsubscribe:	send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd:	<http://www.nealis.net/ascend/faq>